Cloudflare Security Headers Guide

Inject robust protection headers straight from edge servers.


HTTP response security headers such as Content-Security-Policy (CSP), Strict-Transport-Security (HSTS) and X-Content-Type-Options are a baseline control for protecting site traffic. With Cloudflare Transform Rules you can add them at the edge, so every proxied response carries them regardless of what the origin sends and without changing origin configuration. Two caveats apply: the rules only affect hostnames proxied through Cloudflare (orange-cloud DNS records), so keep origin-side headers or block direct access if the origin is reachable by IP; and a rule that sets a header overwrites whatever value the origin already sends, which matters most for CSP.

1. How to Inject Headers with Transform Rules

In the Cloudflare dashboard, navigate to **Rules > Transform Rules > Modify Response Header** and create a rule. Choose a match expression for the traffic it should cover (all incoming requests, or a narrower filter such as a single hostname) and add one `Set static` entry per header, for example `Strict-Transport-Security` and `Content-Security-Policy` with the values from the checklist below. Deploy the rule, then confirm with a HEAD request against the live site that the headers appear on proxied responses before tightening any values.

Before writing the rule, identify exactly which headers your domain is currently missing or sending with weak values, so the rule adds only what the origin does not already get right.

2. Preventing CSP Crawling Anomalies

A Content Security Policy (CSP) is one of the strongest defences against cross-site scripting (XSS), but an over-restrictive policy breaks page rendering, and that includes rendering by Google. Googlebot renders pages in a Chromium-based renderer that enforces CSP exactly as a user's browser does, so a policy that omits the origins your page's own scripts, styles and fonts load from (tag managers, font CDNs, analytics or map scripts) leaves those assets blocked and the rendered page incomplete in the index. CSP cannot "allow" a crawler; what it can do is name every source the page legitimately needs and nothing else. Roll a new policy out as Content-Security-Policy-Report-Only first, review the violation reports, and switch to the enforcing header only once they are clean.

Audit your pages for JavaScript assets the policy would block, and for the inline-script and eval patterns a strict policy refuses, before enforcing it.
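As an added worked example (not code from the original page), the following Python script implements enough of the CSP source-matching rules to check offline whether a page's own assets would be permitted by a policy before it is enforced, which is the audit the section above asks for. The page origin, the two policies and the asset URLs are constructed for the demonstration; nonces, hashes and 'strict-dynamic' are out of scope, so inline scripts are not evaluated.

```python
"""Check which of a page's assets a Content-Security-Policy would permit.

Added example, not from the original page. Implements a subset of the CSP3
source-matching rules: 'self', 'none', scheme-source ("https:"), host-source
with optional scheme, leading-wildcard host, port and path, and the fallback
of fetch directives to default-src. Nonces, hashes and 'strict-dynamic' are
out of scope.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}
# Fetch directives that fall back to default-src when absent.
FALLS_BACK = {"script-src", "style-src", "img-src", "font-src",
              "connect-src", "frame-src", "media-src", "object-src"}


def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence of a directive wins
    return policy


def _split_host_source(source: str):
    """Split [scheme://]host[:port][/path] by hand; urlsplit rejects a '*' port."""
    scheme = None
    if "://" in source:
        scheme, source = source.split("://", 1)
    path = ""
    if "/" in source:
        source, rest = source.split("/", 1)
        path = "/" + rest
    port = None
    if ":" in source:
        source, port = source.rsplit(":", 1)
    return scheme, source, port, path


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.example.com matches a.example.com but not example.com
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allowed(source: str, url: str, page_origin: str) -> bool:
    """Does a single source expression permit fetching `url` from a page at `page_origin`?"""
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    source = source.lower()
    if source.startswith("'"):
        # Keywords: only 'self' can match a fetched URL; 'none', 'unsafe-inline', nonces and hashes never do.
        return source == "'self'" and f"{url_scheme}://{u.netloc.lower()}" == page_origin.lower()
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source):  # scheme-source such as "https:"
        return url_scheme == source[:-1]
    scheme, host, port, path = _split_host_source(source)
    want_scheme = scheme or urlsplit(page_origin).scheme.lower()
    if url_scheme != want_scheme and not (want_scheme == "http" and url_scheme == "https"):
        return False
    if not _host_matches(host, (u.hostname or "").lower()):
        return False
    url_port = u.port if u.port is not None else DEFAULT_PORT.get(url_scheme)
    if port is None:
        if url_port != DEFAULT_PORT.get(url_scheme):  # no port in the source: URL must use the default port
            return False
    elif port != "*" and str(url_port) != port:
        return False
    if path:
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def url_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Apply the governing directive (or the default-src fallback) to one URL."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: the policy does not restrict this fetch
    return any(source_allowed(s, url, page_origin) for s in sources)


def check_page_assets(csp: str, page_origin: str, assets) -> dict:
    """Map each (directive, url) the page needs to whether `csp` permits it."""
    policy = parse_csp(csp)
    return {url: url_allowed(policy, directive, url, page_origin) for directive, url in assets}


# Constructed sample: a page and the third-party assets it loads.
PAGE_ORIGIN = "https://www.example.com"
ASSETS = [
    ("script-src", "https://www.example.com/static/app.js"),
    ("script-src", "https://www.googletagmanager.com/gtm.js"),
    ("style-src", "https://fonts.googleapis.com/css2?family=Inter"),
    ("font-src", "https://fonts.gstatic.com/s/inter/inter.woff2"),
]
# Over-restrictive policy: breaks the tag manager and web fonts for users and for Googlebot alike.
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
# Corrected policy: every origin the page legitimately needs is listed, nothing else is.
FIXED_CSP = ("default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
             "style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; "
             "object-src 'none'")

if __name__ == "__main__":
    for label, csp in (("strict", STRICT_CSP), ("fixed", FIXED_CSP)):
        for url, ok in check_page_assets(csp, PAGE_ORIGIN, ASSETS).items():
            print(f"[{label}] {'allowed' if ok else 'BLOCKED'} {url}")
```

Run it against the asset list your own pages actually load (a browser's network panel or a crawl gives you that list) and deploy the result as Content-Security-Policy-Report-Only first; the report endpoint will catch the sources this offline check cannot see, such as scripts injected by the ones you allowed.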

Security Headers Checklist

1. Enforce HSTS

Inject Strict-Transport-Security with max-age=31536000 (one year) and includeSubDomains. Add preload only if every subdomain is already served over HTTPS and you intend to submit the domain to the HSTS preload list; removal from that list is slow, so treat preload as a one-way commitment and test with a short max-age first.

2. Block Frame Hijacking

Inject X-Frame-Options set to SAMEORIGIN (or DENY if the site never frames its own pages) so other origins cannot embed your pages for clickjacking. Modern browsers give the CSP frame-ancestors directive precedence over X-Frame-Options, so if you set both, keep them consistent.

3. Apply X-Content-Type-Options

Set this header to nosniff so browsers honour the declared Content-Type instead of sniffing the body: a response served as text/plain or JSON is then never executed as script or applied as a stylesheet, whatever its content looks like. Make sure the origin sends accurate Content-Type values for scripts and stylesheets, or legitimate assets will be refused.
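As an added worked example (not code from the original page or from Cloudflare), the following Python script ties section 1 and the checklist above together: it audits a response's headers against the checklist values and builds the request body for a Response Header Transform Rule that sets whatever is missing or weak, using the Rulesets API's http_response_headers_transform phase. The sample origin response is constructed, the zone ID and API token are placeholders, and the body shape is reproduced from the public API reference as remembered here, so confirm it against the current documentation before using the push function, which the script does not call.

```python
"""Audit response headers against the checklist and build the Cloudflare
Transform Rule that sets the ones that are missing or weak.

Added example, not from the original page or from Cloudflare. The request body
follows the Rulesets API for the http_response_headers_transform phase
(action "rewrite"; action_parameters.headers.<Name>.operation = "set" + value);
confirm it against the current API reference before relying on it.
"""
import json
import urllib.request

ONE_YEAR = 31536000  # seconds; the checklist's minimum HSTS max-age

# Values the checklist recommends; set at the edge for any header that is missing or weak.
RECOMMENDED = {
    # preload commits every subdomain to HTTPS; drop it unless you will submit to the preload list
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}


def hsts_ok(value: str) -> bool:
    """True when max-age is at least one year and includeSubDomains is present (preload is optional)."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                return False
    return max_age >= ONE_YEAR and "includesubdomains" in directives


def audit(headers: dict) -> dict:
    """Return {header name: problem} for every checklist header that is missing or weak."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif not hsts_ok(hsts):
        findings["Strict-Transport-Security"] = f"weak: {hsts}"
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    elif xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings["X-Frame-Options"] = f"weak: {xfo} (ALLOW-FROM is obsolete; use CSP frame-ancestors)"
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.lower() != "nosniff":
        findings["X-Content-Type-Options"] = f"weak: {xcto}"
    if "content-security-policy" not in h:
        findings["Content-Security-Policy"] = "missing (write a policy per section 2; no generic value is safe to set)"
    return findings


def build_transform_rule(findings: dict, description: str = "Security headers set at the edge") -> dict:
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_response_headers_transform/entrypoint."""
    headers = {name: {"operation": "set", "value": RECOMMENDED[name]}
               for name in findings if name in RECOMMENDED}
    return {"rules": [{
        # "true" matches every proxied response; narrow it with e.g. (http.host eq "www.example.com")
        "expression": "true",
        "description": description,
        "action": "rewrite",
        "action_parameters": {"headers": headers},
    }]}


def push_transform_rule(zone_id: str, api_token: str, payload: dict) -> dict:
    """Live call (not run here). PUT on the entrypoint replaces every rule in the phase, so merge existing rules first."""
    url = ("https://api.cloudflare.com/client/v4/zones/"
           f"{zone_id}/rulesets/phases/http_response_headers_transform/entrypoint")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {api_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: headers a typical unconfigured origin returns.
ORIGIN_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=86400",  # one day, no includeSubDomains: weak
}

if __name__ == "__main__":
    findings = audit(ORIGIN_RESPONSE)
    for name, problem in findings.items():
        print(f"{name}: {problem}")
    print(json.dumps(build_transform_rule(findings), indent=2))
    # push_transform_rule("<zone id>", "<API token>", build_transform_rule(findings))  # placeholders
```

The audit deliberately reports a missing CSP without generating one: the three checklist headers have safe universal values, a CSP does not, and setting a generic policy at the edge is exactly how the rendering breakage in section 2 happens. Note also that the rule overwrites whatever the origin sends for those three headers, so if the origin already serves a stronger HSTS value, drop that header from the rule rather than weakening it.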

Official Security Directives

Consult the official specification for each header and a CSP configuration generator before deploying a policy site-wide; a generated policy still needs the allow-list audit described in section 2.
